Imprint

About
eMail: wishinet at gmail . com
PGP ID: 0xCCCA5E74

Jabber: wishi@jabber.ccc.de

So fast - so weekly: the weakness of weaponizing



Cyber-security as a term has this science-fiction charm. It's like the world of tomorrow, directly projected into our living rooms, in front of our desks' (IT) work, in our pockets through smart-phones. An omniscient omnipresent force: technology. While constantly changing its colorful face it's the most complex thing mankind has ever created, too. So it's time to weaponize it. Again.

Today is the 20th birthday of the World Wide Web. If you remember the Web 10-15 years ago, it was a kind of peaceful place: we didn't need SSL for every service (telnet, pop, http, nntp), we didn't use proxies, had no need to obfuscate our web-traffic. Gosh, we used telnet for BBS. Who had multiple passwords, a password manager and a Mandatory Access Control on his system in '95 or so? Or network separation through NAT, firewalls, DMZs... network inspection through IDS or DPI. The latter is quite interesting: if you don't encrypt your traffic well enough this directly harms your privacy, while an IDS just looks for certain traffic signatures that describe unwanted service-behavior.

Monitoring, surveillance - the way to gain control. If you doubt that things tend to repeat, have a look at how the book-industry dealt with Gutenberg and how they deal with ePaper. They learned nothing.

What's even more interesting is the argumentation and how easily you can discover lies, but also how easy it is to defy the truth. The content industry in general says we need to end network (neutrality) because they don't earn enough money and want more. Because this is a very stupid argument, politics says: "Yes, there are terrorists and there's child pornography everywhere!" So we need to end it. And because the content industry earns a huge amount of money, they just buy politicians. Not directly, but they've got well-paid positions to offer. A vicious circle: everybody wants a piece of this cake.

And the problem remains: information technology is omnipresent today and reveals a lot about our bad habits and interests, about our identity and our friends'. So whatever is installed to keep the system as it is, to resist (too fast) changes: it will harm freedom and privacy. Because it affects technology, which represents exactly: creativity, communication, freedom... how our way of living changed. In many cases technology consists of, you could say, outsourced parts of our minds. It doesn't just change communication and working. It changes everything and us. That's (technological) evolution.

Recapitulating IT security's evolution again is sad: we have to install a lot today to keep the business going. Criminals in general are a huge problem (and I tend to count many politicians among those). But what's much more problematic than stupid botnets or viruses like Conficker, more dangerous than these demonized haxx0rs or even information leakage (through ex-employees, database faults) - anything which represents software-faults in general - is society itself. Hobbes' homo homini lupus: data leakage is a problem because people want to abuse information against each other. Hackers are a problem because of people's fear. And the WWW is a problem because of many fears that we have to overcome quickly. The fears of having to change, of having to tolerate, or of having to learn have no place in our globalized world. We simply can't afford these weaknesses any longer.


Switching back to geeky: pranks



Prank calls are something that works. It's just funny.


The workers said they became suspicious when the caller then told them to urinate on each other.


Okay - childish? Here's the record. Was even in the media. You may think it's funny, or may not. Okay, we're all adults. So it's beneath our standard to laugh about minimum wage employees getting tricked by a ... master of social engineering?! I mean, of course this is immature. But it worked! It's a general lesson to bring into companies. And I'm glad to have a humorous example that I can use for teaching. Nobody believes that kind of stuff without an example.


msfencode -c circumvents AV



Check out the SVN repo. I hope there'll be a packer soon.

I personally don't see any reason for signature-dependent Anti Virus as long as the behavior analysis stuff doesn't come out to be effective. Isolating software faults through (in most cases stupid) AV software cannot work. It's theoretically impossible to reduce (false) semantics by adding complexity. Complexity like more software, more code, more instructions. Even if you heuristically scan through opcode, you're just applying some voodoo because you can't de-obfuscate encoded binaries reliably.

If old Malware still works, the vendor of the affected product just sucks. Of course AV is important nowadays in business for perimeter defense strategies, but you should consider that its time is going to be over sooner than you expect. And that's the problem: rely on it and lose.


CODEZ are up



Okay, now we could argue about the style or so. In any case the codez are up. I recently posted jeriko, which is THE shell wrapper for pentesting commands. Very usable, easy to control, and minimal. It just makes sense. The python-SSL proxy could be nice to test webshops, whose owners think SSL solves their code-problems. It just doesn't ;).


Papers of the week



hd twittered a paper dealing with password-patterns. I'm not through it, but it seems kewl for any IT security person.

wishi is a nick ;). I think this is funny. Means: "the flow" in case of water. Sometimes it turns out things make sense...


So, now let's celebrate the WWW's 20th the nerdy way: happy surfing and have fun,
wishi


Save the nature. Don't print this!


I provide textual exports for every blog entry. However let's save the nature together. The nature is everything around us. Every being should be respected. Save the nature - don't print too much.


Circumventing this print lock is prohibited under § 95a UrhG!
Person responsible for content pursuant to § 10 (3) MDStV: Marius Ciepluch - address available via eMail. The eMail address can be found in the imprint of this English-language site.
For data protection reasons I conduct neither official nor governmental correspondence via eMail. For that, use the postal address on file with the service provider.

Data collection

No personal data is collected. Log data is anonymized.